---
id: sign-in-with-github-google-facebook-linkedin
title: Sign in with GitHub, Google, Facebook, LinkedIn, Microsoft ...
---

In this document we will take a look at setting up "Sign in with GitHub" using
ORY Kratos.

Run the [Quickstart](../quickstart.mdx) with Docker Compose:

```shell script
# This assumes that you have ORY Kratos checked out locally and
# that your current directory ("pwd") is the folder where ORY Kratos
# is.

$ make quickstart
```

## GitHub

To set up "Sign in with GitHub" you must create a
[GitHub OAuth2 Client](https://developer.github.com/apps/building-oauth-apps/creating-an-oauth-app/).

Set the "Authorization callback URL" to:

```
http://127.0.0.1:4455/.ory/kratos/public/self-service/browser/flows/strategies/oidc/callback/github
```

The pattern of this URL is:

```
http(s)://<domain-of-ory-kratos>:<public-port>/self-service/browser/flows/strategies/oidc/callback/<provider-id>
```

The provider ID must point to the provider's ID set in the ORY Kratos
configuration file (explained in further detail at
[OpenID Connect and OAuth2 Credentials](../concepts/credentials/openid-connect-oidc-oauth2.mdx)).

:::note

GitHub does not implement OpenID Connect. Therefore, ORY Kratos makes a request
to
[GitHub's User API](https://developer.github.com/v3/users/#get-the-authenticated-user)
and adds that data to `std.extVar('claims')`. Check out what data is available
at
[GitHub's Scope Docs](https://developer.github.com/apps/building-oauth-apps/understanding-scopes-for-oauth-apps/).
Not all GitHub fields are supported however. Check the list of supported fields
[in Kratos' source code](https://github.com/ory/kratos/blob/v0.2.1-alpha.1/selfservice/strategy/oidc/provider_github.go#L72-L98).

:::

As explained in
[OpenID Connect and OAuth2 Credentials](../concepts/credentials/openid-connect-oidc-oauth2.mdx),
you must also create a Jsonnet code snippet for the provider. Save the code in
`<kratos-directory>/contrib/quickstart/kratos/email-password/oidc.github.jsonnet`.
The following schema takes `email_primary` and maps it to `traits.email`:

```json title="contrib/quickstart/kratos/email-password/oidc.github.jsonnet"
local claims = {
  email_verified: false
} + std.extVar('claims');

{
  identity: {
    traits: {
      // Allowing unverified email addresses enables account
      // enumeration attacks, especially if the value is used for
      // e.g. verification or as a password login identifier.
      //
      // Therefore we only return the email if it (a) exists and (b) is marked verified
      // by GitHub.
      [if "email" in claims && claims.email_verified then "email" else null]: claims.email,
    },
  },
}
```

Now, enable the GitHub provider in the ORY Kratos config located at
`<kratos-directory>/contrib/quickstart/kratos/email-password/.kratos.yml`.

```yaml title="contrib/quickstart/kratos/email-password/.kratos.yml"
# $ kratos -c path/to/my/kratos/config.yml serve
selfservice:
  strategies:
    oidc:
      enabled: true
      config:
        providers:
          - id: github # this is `<provider-id>` in the Authorization callback URL. DO NOT CHANGE IT ONCE SET!
            provider: github
            client_id: .... # Replace this with the OAuth2 Client ID provided by GitHub
            client_secret: .... # Replace this with the OAuth2 Client Secret provided by GitHub
            mapper_url: file:///etc/config/kratos/oidc.github.jsonnet
            scope:
              - user:email
```

Next, open the login endpoint of the SecureApp and you should see the GitHub
Login option!

## Microsoft

This will enable you to log in using any Azure AD directory - Multitenant and
personal Microsoft accounts (e.g. Skype, Xbox) depending on the settings made
when creating the application in Azure AD.

To set up "Sign in with Microsoft" you must first register an application
[Register an application with the Microsoft identity platform](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app).

It might be nessecary to enable the implicit grant flow for access tokens and ID
tokens.

Set the "Authorization callback URL" to:

```
https://public.server.fqdn.example.org/.ory/kratos/public/self-service/browser/flows/strategies/oidc/callback/azuread
```

The pattern of this URL is:

```
http(s)://<domain-of-ory-kratos>:<public-port>/self-service/browser/flows/strategies/oidc/callback/<provider-id>
```

```json title="contrib/quickstart/kratos/email-password/oidc.azuread.jsonnet"
# claims contains all the data sent by the upstream.
local claims = std.extVar('claims');
{
  identity: {
    traits: {
      // Allowing unverified email addresses enables account
      // enumeration attacks, especially if the value is used for
      // e.g. verification or as a password login identifier.
      //
      // If connecting only to your organization (one tenant), claims.email is safe to use if you have not actively disabled e-mail
      //verification during signup.
      email: claims.email
    },
  },
}
```

Also see ["Disable email verification during customer sign-up in Azure Active
Directory B2C"] for warnings.

Enable the Microsoft Azure provider in the ORY Kratos config located at
`<kratos-directory>/contrib/quickstart/kratos/email-password/.kratos.yml`.

```yaml title="contrib/quickstart/kratos/email-password/.kratos.yml"
selfservice:
  strategies:
    oidc:
      enabled: true
      config:
        providers:
          - id: azuread
            provider: generic
            auth_url: https://login.microsoftonline.com/{TENANTID}/oauth2/v2.0/authorize
            token_url: https://login.microsoftonline.com/{TENANTID}/oauth2/v2.0/token
            issuer_url: https://login.microsoftonline.com/{TENANTID}/v2.0
            client_id: {CLIENTID_FROM_AZURE_PORTAL} (Application (client) ID)
            client_secret:  {SECRET_FROM_AZURE_PORTAL} (from certificates & secrets)
            mapper_url: file:///etc/config/kratos/oidc.azuread.jsonnet
            scope:
              - profile
              - email
```

Azure AD is now an option to log in to kratos.

## Google, LinkedIn, Facebook

Connecting with other Social Sign In providers will be very similar to the
GitHub flow. If you've managed to do it, add to this document by writing it down
and making a PR! :)
